Password protected directory listing

Hello, how would I go about requiring HTTP basic auth on browse's directory listings, while leaving the files themselves accessible without auth?

I have tried to use rewriting and proxying to “fall back” to another port on which I have browse and basicauth enabled but it seems the rewriting happens after the proxy’s base path is matched, or mismatched in this case, and the alternate port never recieves a request {
    root /srv/http/images
    rewrite {
        if {path} ends_with /
        to {path} /idx{path}
    proxy /idx {
        without /idx
} {
    root /srv/http/images
    browse /
    basicauth / codl hunter2

Hi @codl,

For reference, the current order of execution of directives is here:

rewrite does happen before basicauth, which happens before proxy.

You can use log / access.log "{common} /// {rewrite_uri}", which will log the result of the rewrite so you can compare it with what you expect for any given request.

I note that to {path} /idx{path} means that a request for a folder that DOES exist on disk will be rewritten to {path}, because it exists, rather than /idx{path} (the log directive will likely confirm this with some quick tests). I suspect you’d rather it rewrite existing directories to the proxy, so you could probably just remove the first {path}.

Thank you! This did the trick

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.